Skip to content
Tech News
← Back to articles

Microsoft links Medusa ransomware affiliate to zero-day attacks

2026-04-06 | original
read original get Cybersecurity USB Data Blocker → more articles
Why This Matters

Microsoft has linked the China-based Storm-1175 cybercriminal group to rapid, high-impact attacks exploiting both known and zero-day vulnerabilities to deploy Medusa ransomware. Their swift and sophisticated attack chain poses significant risks to critical sectors worldwide, highlighting the importance of proactive vulnerability management and cybersecurity vigilance. This development underscores the evolving threat landscape and the need for organizations to stay ahead of emerging exploits.

Key Takeaways

Microsoft says that Storm-1175, a China-based financially motivated cybercriminal group known for deploying Medusa ransomware payloads, has been deploying n-day and zero-day exploits in high-velocity attacks.

This cybercrime gang quickly shifts to targeting new security vulnerabilities to gain access to its victims' networks, weaponizing some of them within a day and, in some cases, exploiting them a week before patches are released.

"Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, in some cases, within 24 hours," Microsoft said.

"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States."

Microsoft has also observed Storm-1175 operators chaining multiple exploits to gain persistence on compromised systems by creating new user accounts, deploying remote monitoring and management software, stealing credentials, and disabling security software before dropping ransomware payloads.

Storm-1175 attack chain (Microsoft)

In October, Microsoft reported that Storm-1175 had been exploiting a maximum-severity GoAnywhere MFT vulnerability (CVE-2025-10035) in Medusa ransomware attacks for over one week before it was patched.

Another vulnerability Storm-1175 exploited as a zero-day was CVE-2026-23760, an authentication bypass in SmarterTools' SmarterMail email server and collaboration tool.

"While these more recent attacks demonstrate an evolved development capability or new access to resources like exploit brokers for Storm-1175, it is worth noting that GoAnywhere MFT has previously been targeted by ransomware attackers, and that the SmarterMail vulnerability was reportedly similar to a previously disclosed flaw," Microsoft added.

"These factors may have helped to facilitate subsequent zero-day exploitation activity by Storm-1175, who still primarily leverages N-day vulnerabilities."

... continue reading

Explore topics: medusa ransomware storm-1175 goanywhere mft cve-2025-10035 microsoft
Related:
Why Microsoft is forcing Windows 11 25H2 update on all eligible PCs
Microsoft removes Support and Recovery Assistant from Windows
Microsoft is going to force-update Windows 11 to version 25H2 using machine learning
Microsoft Says You’re Not Supposed to Take Copilot’s Advice Seriously
AI data center boom ‘stress tests’ insurers as private capital floods in

© 2026 GoKawiil

About | Editorial Policy | Contact